Cayman Islands Anti-Money Laundering Regulation Revisions

Key changes relate to:  

1. Country risk assessments
2. Virtual asset requirements
3. Supervisory Authority Reporting

The changes are yet another indication of the increased regulatory scrutiny around virtual assets across many jurisdictions. They also support the Cayman Islands’ efforts in improving its profile with the Financial Action Task Force (“FATF”).  

1. Country risk assessments 

The Revisions add a section relating to country/geographic risk assessments. Country money laundering and terrorist financing will be subject to researching credible source on certain criminal risks:  

In addition to the above, the Revisions also clarify that a country or geographical area cannot be considered “low risk” in terms of money laundering and terrorist financing if any the country or geographic area:  

• Has been identified by credible sources as not having effective systems to counter money laundering, terrorist financing and proliferation financing 
• Has been identified by credible sources as having significant levels of corruption, terrorism and money laundering 
• Is subject to sanctions related to its risk of money laundering, terrorist financing or proliferation financing by the United Kingdom or the United Nations
• Has been identified by the FATF as a country or geographic area to which counter-measures or enhanced due diligence measures proportionate to the risks should be applied 
• Is subject to a Cayman Islands Order made under section 201(3) of the Proceeds of Crime Law (2020 Revision)

2. Virtual Assets

Requirements relating to transfers of virtual assets are the most significant addition to the Revisions. 

2.1 Changes to definitions

In addition to references to several definitions under the Virtual Asset (Service Providers) Act (2022 Revision), the Revisions introduce a few new definitions, listed below:  

• “Batch file transfer of virtual assets”: several individual transfers of virtual assets which are bundled together for transmission
• “Beneficiary virtual asset service provider”: a virtual asset service provider (“VASP”) which receives a transfer of virtual assets on behalf of a beneficiary
• “Intermediary virtual asset service provider”: a VASP which 
  • Participates in the execution of a transfer of virtual assets
  • Is not the originating or beneficiary VASP
• “Originating virtual asset service provider”: a VASP which conducts a transfer of virtual assets on behalf of an originator

2.2 Transfers of virtual assets to a beneficiary

Originating VASPs will be required to collect simultaneously or concurrently with a transfer of virtual assets to a beneficiary VASP or obliged entity, either directly or indirectly:  

Originating VASPs will be required to ensure that transfers of virtual assets are conducted using a system which prevents the unauthorised disclosure of the above information to a person other than the originating VASP, the beneficiary VASP or the obliged entity. Finally, originating VASPs will be required to keep records of complete information on the originator and beneficiary for each transfer of virtual assets for at least five years. 

2.3 Obligations of beneficiary VASPs 

For each transfer of virtual assets, beneficiary VASPs will be required to collect:  

2.3.1 Batch file transfers of virtual assets 

For batch file transfers of virtual assets from a single originator, the above requirements shall not apply to the individual transfers of virtual assets bundled together if both of the following conditions are met: 

• The batch file contains:
  • The name of the originator 
  • Where an account is used to process the transfer of virtual assets by the originator: the account number of the originator 
  • The address of the originator 
  • The number of a Government issued document evidencing the originator’s identity or the originator’s customer identification number or date and place of birth 
• The individual transfers of virtual assets carry the account number of the originator or a unique identifier

Batch files will need to contain the name, account number or unique identifier of the beneficiary that is traceable in the beneficiary country. 

In addition to the above, beneficiary VASPs will also be required to  

1. Verify the accuracy of the information received 
2. Keep such information on record for at least five years
3. Have effective procedures in place in order to detect whether, in the messaging or payment and settlement/equivalent system in a transfer of virtual assets, the required information shown above 

Under the Revisions, the Cayman Islands specify they may ask originating and beneficiary VASPs to provide information in respect of a transfer of virtual assets.  

3. Transfers of virtual assets with missing or incomplete information about the originator 

Originating VASPs will not execute transfers of virtual assets where they are unable to collect information on the originator and beneficiary. 

Beneficiary VASPs will be required to:  

• Have effective systems in place to detect missing required information on both the originator and beneficiary
• Where detecting, while receiving transfers of virtual assets, that information on the originator required is missing or incomplete, beneficiary VASPS must do either of the following:
  • Reject the transfer of virtual assets
  • Request complete information on the originator
• Adopt risk-based policies and procedures for determining: 
  • Whether to execute, reject or suspend a transfer of virtual assets
  • The resulting procedures to be applied, where the required originator or beneficiary information is incomplete

Where an originating VASP regularly fails to supply the required information on the originator, the beneficiary VASP shall adopt reasonable measures to rectify noncompliance before: 

1. Rejecting any future transfers of virtual assets from that originating VASP
2. Restricting its business relationship with that originating VASP 
3. Terminating its business relationship with that originating VASP 

The beneficiary VASP shall report to the Financial Reporting Authority and to the relevant Supervisory Authority any decision to restrict or terminate its business relationship with that originating VASP. 

4. Suspicious Activity Reporting 

A receipt of incomplete information about the originator by the beneficiary will be considered as a factor in assessing whether a transfer of virtual assets is suspicious. Should the transaction be ultimately deemed as suspicious, that transaction will need to be reported to the Financial Reporting Authority.  

A VASP that controls both the originating and beneficiary VASPs shall: 

• Consider the information from both originating and beneficiary VASPs to determine whether a suspicious activity report (“SAR”) should be filed 
• File the SAR in the country:
  • From which the transfer of virtual assets originated 
  • To which the transfer of virtual assets was destined
  • Make relevant transaction information available to the Financial Reporting Authority and the relevant authorities in the country
    • From which the transfer originated 
    • To which it was destined

5. Requirements for intermediaries

An intermediary VASP participating in a transfer of virtual assets will need to ensure that all information received on the originator and the beneficiary that accompanies a transfer of virtual assets is kept with the transfer of virtual assets. Intermediary VASPs will also be required to: 

• Take reasonable measures, consistent with straight-through processing, to identify transfers of virtual assets that lack required originator or beneficiary information 
• Adopt risk-based policies and procedures for determining, where the required originator or beneficiary information is incomplete or missing:
  • When to execute, reject or suspend a transfer of virtual assets and the resulting procedures to be applied from this decision
• Keep a record of all information received from the originating VASP, obliged entity or other intermediary, for at least five years if technical limitations prevent them from sending the required originator or beneficiary information with the transfer of virtual assets

6. Reporting requirements of Supervisory Authorities 

The Revisions introduce a new section focusing on annual reporting requirements for Supervisory Authorities. Those reports will need to be submitted to the Anti-Money Laundering Steering Group no later than three months after the Supervisory Authority’s financial year-end.   

Such annual reports will cover:  

• Number of persons (legal and natural) supervised by the Supervisory Authority 
• Relevant financial business carried on by persons supervised by the Supervisory Authority and its methodology for risk rating such persons 
• Number of contraventions of the Regulations by persons supervised by Supervisory Authority 
• Number of inspections of persons for the purposes of the Regulations conducted by the Supervisory Authority 
• Number and amount of fines imposed by the Supervisory Authority  
• Number of times that the Supervisory Authority has exercised its enforcement powers  
• Number of persons under the supervision of the Supervisory Authority who, following the exercise of enforcement powers by the Supervisory Authority, have contravened the requirements imposed by such enforcement measures
• Activities that the Supervisory Authority has engaged in to educate persons under its supervision with respect to their responsibilities under the Regulations
• AML/CFT and combating proliferation financing training and development undertaken within the Supervisory Authority 
• Summary of any AML/CFT and combating proliferation risk assessments conducted for sectors under the supervision of the Supervisory Authority during the relevant period 
• Any updates to the description of indications which may suggest that a transfer of criminal funds is taking place in the sectors under the supervision of the Supervisory Authority

How can we help you 

• AML Assurance
• Managed Due Diligence